How to extract xml value having multiple same chil...

Vkeshar · ‎09-09-2022

I have following sample XML event where I want to extract specific value for a child tag . Ex when <Order fact> value is 'Place' then extract <Orderupdatevalue> which is false

<OrderUpdateField>
<OrderFacts>Place</OrderFacts>
<OrderDataType>String</OrderDataType>
<OrderUpdateValue>False</OrderUpdateValue>
<OrderFacts>Number</OrderFacts>
<OrderDataType>Integer</OrderDataType>
<OrderUpdateValue>1</OrderUpdateValue>
<OrderFacts>Location</OrderFacts>
<OrderDataType>String</OrderDataType>
<OrderUpdateValue>Earth</OrderUpdateValue>
</OrderUpdateField>

kamlesh_vaghela · ‎09-26-2022

@Vkeshar

It looks like you need the first value from multivalued data.

Can you please try this?

YOUR_SEARCH | spath
| eval OrderFacts=mvindex('OrderUpdateField.OrderFacts',0), OrderUpdateValue=mvindex('OrderUpdateField.OrderUpdateValue',0)
| table OrderFacts OrderUpdateValue

My Sample Search :

| makeresults | eval _raw="<OrderUpdateField>
     <OrderFacts>Place</OrderFacts>
     <OrderDataType>String</OrderDataType>
      <OrderUpdateValue>False</OrderUpdateValue>
     <OrderFacts>Number</OrderFacts>
     <OrderDataType>Integer</OrderDataType>
     <OrderUpdateValue>1</OrderUpdateValue>
     <OrderFacts>Location</OrderFacts>
    <OrderDataType>String</OrderDataType>
    <OrderUpdateValue>Earth</OrderUpdateValue>
</OrderUpdateField>" | spath
| eval OrderFacts=mvindex('OrderUpdateField.OrderFacts',0), OrderUpdateValue=mvindex('OrderUpdateField.OrderUpdateValue',0)
| table OrderFacts OrderUpdateValue

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How to extract xml value having multiple same child tag?

XML

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

How to extract xml value having multiple same child tag?

XML

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk